SonarQube Community 7.9.1 (build 27448), using OWASP ZAP Plugin
The OWASP ZAP Quality Profile currently has a vulnerability that is classified as Minor. I’d like to make this vulnerability be detected as major across all the projects in my SonarQube instance.
So far I have extended the existing quality profile and modified the specific vulnerability to set it as major. I have also made this the default quality profile under the ZAP heading.
For projects that I introduce this vulnerability into, it is categorized as major. However, for projects where this vulnerability already existed, it is being categorized as minor still.
What I’d like to be able to do is make SonarQube categorize existing vulnerabilities/issues based on my new quality profile - whether or not they existed before the quality profile. Is there a way to do this?
You’ve taken the right steps to change the Quality Profile – and it will be applied to all future project scans. To change the existing issues, you’ll have to change the issues themselves; they don’t automatically change when you change the Quality Profile. You can do this via a bulk change from the Issues tab of your SonarQube instance:
Navigate to Issues
Open up the Rules filter and select or search for the rule(s) that you’re interested in
Add more filters, for example if you want to limit this change only to certain projects
Click on the checkbox at the top of the page next to Bulk change; this will select all the issues currently displayed
Now click on Bulk change and change the severity
Note that this is limited to 500 issues at a time, so if you have more than 500 you’ll need to do some additional filtering and do multiple bulk changes.
Is there any way to make this automatically happen or is bulk change the best way to do it?
I just did the bulk change the way you listed and that worked great, just wondering for the future if there is anything I could do to make this happen automatically.
Great that the bulk change is working for you – and it’s definitely the best (and only!) way to make this change. Once an issue is created, it’s dissociated from the rule, so the kind of automatic link you’re after (change the Quality Profile after the issue is created) is not possible.